Microsoft Security Bulletin (MS00-005)

--------------------------------------



Patch Available for "Malformed RTF Control Word" Vulnerability

Originally Posted: January 17, 2000



Summary

=======

Microsoft has released a patch that eliminates a security vulnerability in

the Rich Text Format (RTF) reader that ships as  part of Microsoft(r)

Windows(r) 95 and 98, and Windows NT(r) 4.0. Under certain conditions, the

vulnerability could be used  to cause email programs to crash.



Frequently asked questions regarding this vulnerability can be found at

http://www.microsoft.com/security/bulletins/MS00-005faq.asp.



Issue

=====

RTF files consist of text and control information. The control information

is specified via directives called control words.  The default RTF reader

that ships as part of many Windows platforms has an unchecked buffer in the

portion of the reader that  parses control words. If an RTF file contains a

specially-malformed control word, it could cause the application to crash.



Microsoft believes that this is a denial of service vulnerability only, and

that there is no capability to use this  vulnerability to run arbitrary

code. The most serious risk from this vulnerability would result if a user

had preview mode  enabled on a mail program like Outlook, and received an

email that exploited the vulnerability. Because preview mode causes  the

mail to be parsed without user assent, the mail program would continue to

crash until a subsequent mail was received or  the mail program was started

with preview mode disabled.



Affected Software Versions

==========================

 - Microsoft Windows 95

 - Microsoft Windows 98

 - Microsoft Windows 98 Second Edition

 - Microsoft Windows NT 4.0 Workstation

 - Microsoft Windows NT 4.0 Server

 - Microsoft Windows NT 4.0 Server, Enterprise Edition

 - Microsoft Windows NT 4.0 Server, Terminal Server Edition



NOTE: Windows 2000 is not affected by this vulnerability.



Patch Availability

==================

 - Windows 95:

   http://www.microsoft.com/windows95/downloads/contents/

   WUCritical/rtfcontrol/default.asp

 - Window 98:

   http://www.microsoft.com/windows98/downloads/contents/

   WUCritical/rtfcontrol/default.asp

 - Windows NT 4.0 Workstation, Windows NT 4.0 Server, and

   Windows NT 4.0 Server, Enterprise Edition:

   Intel:

      http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17510

   Alpha:

      http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17511

 - Windows NT 4.0 Server, Terminal Server Edition:

   To be released shortly.



NOTE: Line breaks have been inserted into the URLs above for readability.



NOTE: The Windows 95 and 98 versions of the patch will also be available via

WindowsUpdate shortly. When this happens, we  will modify the bulletin to

note this fact.



NOTE: Additional security patches are available at the Microsoft Download

Center



More Information

================

Please see the following references for more information related to this

issue.

 - Frequently Asked Questions: Microsoft Security Bulletin MS00-005,

   http://www.microsoft.com/security/bulletins/MS00-005faq.asp.

 - Microsoft Knowledge Base (KB) article Q249973,

   Default RTF File Viewer Interrupts Normal Application Processing,

   http://support.microsoft.com/support/kb/articles/q249/9/73.asp.

   (Note: It may take 24 hours from the original posting of this bulletin

   for this KB article to be visible.)

 - Rich Text Format (RTF) Specification and Sample RTF Reader Program,

   Version 1.5,

   http://msdn.microsoft.com/library/specs/

   richtextformatrtfspecificationsamplertfreaderprogramversion15.htm

 - Microsoft Security Advisor web site,

   http://www.microsoft.com/security/default.asp.



NOTE: Line breaks have been inserted into the URLs above for readability.



Obtaining Support on this Issue

===============================

This is a fully supported patch. Information on contacting Microsoft

Technical

Support is available at

http://support.microsoft.com/support/contact/default.asp.



Revisions

=========

 - January 17, 2000: Bulletin Created.



-------------------------------------------------------------------------



THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"

WITHOUT WARRANTY OF ANY KIND. MICROSOFT  DISCLAIMS ALL WARRANTIES, EITHER

EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS

FOR A PARTICULAR  PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS

SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,  INDIRECT,

INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN

IF MICROSOFT CORPORATION OR ITS  SUPPLIERS HAVE BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR

LIMITATION OF  LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE

FOREGOING LIMITATION MAY NOT APPLY.



(c) 2000 Microsoft Corporation. All rights reserved. Terms of Use